The Business Case for Using a Numbered Logarithmic Risk Severity Scale
Donald W. Swallom
U.S. Army Aviation and Missile Command
Keywords: severity, matrix, logarithmic, risk, Richter Scale
Abstract
By the way they are structured, the severity scales of both U.S. Department of Defense (DoD) Instruction 6055.07
dealing with actual accidents, and Military Standard 882 (MIL-STD-882) dealing with potential accidents, do not
adequately address accidents with extremely high dollar or fatality loss. While the threshold for the highest
classification of damage loss has been increased by 6055.07 to $2 million and 882 to $10 million, both up from $1
million, some DoD systems exceed those values by up to three orders of magnitude. The threshold for the highest
injury classification is unchanged at one fatality. A numbered logarithmic severity scale similar to the Richter Scale
used for earthquakes would resolve this deficiency and support classifying and assessing the risk of high-loss
accidents. The new scale would not only improve the risk management of accidents but also would enhance the
Department of Defense application of risk management. It could be further applied on a national basis in support of
Presidential Policy Directive 8 which aims to strengthen the security and resilience of the nation through systematic
preparation for the threats and hazards that pose the greatest risk to U.S. security and well being.
Introduction
Problem. Currently the DoD’s accident classification structure is delineated in DoD Instruction 6055.07, Mishap
Notification, Investigation, Reporting, and Record Keeping, as follows:
Class A mishap. The resulting total cost of damages to Government and other property is $2 million
or more, a DoD aircraft is destroyed (excluding UAS Groups 1, 2, or 3), or an injury or occupational
illness results in a fatality or permanent total disability.
Class B mishap. The resulting total cost of damages to Government and other property is $500,000
or more, but less than $2 million. An injury or occupational illness results in permanent partial
disability, or when three or more personnel are hospitalized for inpatient care (which, for mishap
reporting purposes only, does not include just observation or diagnostic care) as a result of a single
mishap.
Class C mishap. The resulting total cost of property damages to Government and other property is
$50,000 or more, but less than $500,000; or a nonfatal injury or illness that results in 1 or more days
away from work, not including the day of the injury.
Class D mishap. The resulting total cost of property damage is $20,000 or more, but less than
$50,000; or a recordable injury or illness not otherwise classified as a Class A, B, or C mishap. (ref.
1)
In Military Standard 882E (MIL-STD-882E), the severity categories used to assess potential mishaps due to hazard
are as listed in Table 1. The problem with these severity scales is that the top thresholds of each are so much less than
the value of the DoD's most expensive systems. Figure 1 shows these thresholds compared to the most expensive
systems. The threshold barely registers on the chart compared to these systems. Figure 2 shows how much less the
fatality thresholds are than the populations of Nimitz and Ford-Class aircraft carriers and again the thresholds barely
show on the chart.
Table 1 — MIL-STD-882E Severity Categories. (ref. 2)
Description
Severity
Category
Catastrophic
1
Critical
2
Marginal
3
Negligible
4
Mishap Result Criteria
Could result in one or more of the following: death, permanent total disability,
irreversible significant environmental impact, or monetary loss equal to or
exceeding $10M.
Could result in one or more of the following: permanent partial disability, injuries
or occupational illness that may result in hospitalization of at least three personnel,
reversible significant environmental impact, or monetary loss equal to or exceeding
$1M but less than $10M.
Could result in one or more of the following: injury or occupational illness
resulting in one or more lost work day(s), reversible moderate environmental
impact, or monetary loss equal to or exceeding $100K but less than $1M.
Could result in one or more of the following: injury or occupational illness not
resulting in a lost work day, minimal environmental impact, or monetary loss less
than $100K.
$10,000
$9,000
$9,000
System Costs versus Top Severity Threholds
$ Millions
$8,000
$7,000
$6,000
$5,000
$4,500
$4,000
$3,000
$2,000
$1,400
$1,000
$202
$147
$10
$2
C-17
F-22
MIL-STD-882E
Severity 1
Threshold
DODI 6055.7
Class A
Threshold
$0
Ford Class
Carrier
Nimitz Class
Carrier
B-2
Figure 1 — System costs versus top severity thresholds
6,000
5,000
5,680
4,660
System Personnel versus
Top Severity Threholds
4,000
3,000
2,000
1,000
0
Ford Class Carrier
Nimitz Class Carrier
1
1
MIL-STD-882E Severity 1
Threshold
DODI 6055.7 Class A
Threshold
Figure 2 — System personnel versus top severity threshold
This problem is further exacerbated in that both the 6055.07 and 882 scale labels increase in the opposite direction to
increasing severity. This means they must be rescaled in order to accommodate increases because is that there is no
number before "1" and no letter before "A." Had they been numbered or lettered in the same direction as increasing
severity they would only require the addition of a number or letter increment to increase the range of severity covered.
In addition, for both scales there are only 4 levels of severity. In keeping 4 levels, MIL-STD-882E, when it increased
the Severity 1 threshold from $1 million to $10 million, also increased the top value of its lowest severity category,
Category 4, from $10,000 to $100,000 which seems to be rather high for a loss described by its label as "Negligible."
With numbering of the severity categories in the same direction, one could increase the range of severity of the scale
by adding one more level, Severity Category 5, and leaving the original category ranges unchanged.
Background. Before 1989, the threshold for a Class A accident was $500,000. From 1989 to 2009, the threshold for a
Class A mishap was $1 million (ref. 3). Prior to 2000, no dollar values were included with the severity categories in
MIL-STD-882. With MIL-STD-882D, published in 2000, the threshold for a Severity Category 1 was also $1million
(ref. 4). In fact, the suggested mishap severity categories incorporated all the thresholds of the DODI 6055.7. These
thresholds made sense because they were already well known by all those familiar with accident data in the DoD.
After work began in 2004 on a revision to MIL-STD-882D, the attributes of a good risk assessment matrix were
discussed in some detail in a panel discussion held at the 2004 International System Safety Conference. The results of
this discussion were published in the Journal of System Safety in 2005 (ref.5). Also in 2005, the author of this paper
submitted a paper to the 23rd International System Safety Conference (ref. 6) proposing a common risk matrix for all
DoD aircraft. Key to this matrix, shown in Figure 3, was reversing the numbering of the severity scale from that used
in MIL-STD-882D enabling the ability to tailor it to the dollar value and number occupants of a specific aircraft. The
various aircraft are depicted on the matrix by the different patterned lines. This matrix was incorporated as an example
matrix in the February 2006 draft of MIL-STD-882E which eventually was developed by the TechAmerica G48
Committee into ANSI/GEIA-STD-0010-2009 (ref. 7). Also included in the author's 2005 paper (ref. 6) was a matrix
tailored in this same manner for "Spaceship Earth" (Figure 4). This matrix used only 13 categories of severity to assess
hazards up and including those hazards that could end life on this planet.
Figure 3 — A common mishap risk assessment matrix for DoD aircraft systems. (ref. 8)
Hazard Frequency (Mishaps per 100,000 Hrs (11.4 years))
Severity
TBD
TBD
TBD
TBD
TBD
N
M
L
K
J
1E-11
13
$2Q 1B Fatal
Cataclysmic12
$200T 100M Fatal
TBD 11
$20T 10M Fatal
TBD 10
$2T 1M Fatal
TBD
9
$200B 100K Fatal
Disastrous 8
$20B 10K Fatal
Catastrophic 7
$2B 1K Fatal
Catastrophic 6
$200M 100 Fatal
Catastrophic 5
$20M 10 Fatal
Catastrophic 4
$2M 1 Fatal
Critical 3
$200K
Marginal 2
$20K
Negligible$2K
1
1E-10
1E-9
1E-8
End of Life on
Planet Earth
Super Incredibly Extremely
Very
Improbable Remote Occasional Probable Frequent
ImprobableImprobableImprobableImprobable
I
1E-7
H
1E-6
G
0.00001
E
F
0.0001
0.001
D
0.01
C
0.1
B
1
A
10
Earth encounter with an asteroid
High
Serious
Medium
B-2
Low
F-22, C-17
AH-64, CH-47, UH-60
C-12, OH-58D
Small Unmanned Air Vehicles
Figure 4 — A Risk Assessment Matrix Tailored for Spaceship Earth (ref. 9)
Scope. There are four arenas where a numbered logarithmic risk severity scale has benefits. First is the arena discussed
above, DoD accident classification and system safety risk assessment.
Second is the arena of risk management. The U.S. Army's composite risk management, described in Department of
the Army Pamphlet 385–30, is "a continuous process applied across the full spectrum of Army training and operations,
individual and collective day-to-day activities and events, and base operations functions to identify and assess hazards,
develop and implement controls, and evaluate outcomes." (ref. 10). Table 2 is the Standardized Army risk matrix. The
severity categories used by U.S. Army Pamphlet 385-30, are the same as those in MIL-STD-882D with 1 fatality and
$1 million as the top category threshold. Table 3 is the risk acceptance matrix setting risk categories against the
duration of exposure to determine which authority should accept the risk. Figure 5 shows the numbers of soldiers at
each level.
Table 2 — DA Pam 385–30 Standardized Army risk matrix (ref. 11)
Severity
Catastrophic
Critical
Marginal
Negligible
Frequent A
I
II
III
IV
Likely B
E (1)
E (1)
H (2)
M (3)
Probability
Occasional C
Seldom D
E (1)
H (2)
H (2)
H (2)
M (3)
M (3)
L (4)
L (4)
Unlikely E
H (2)
M (3)
L (4)
L (5)
M (3)
L (4)
L (5)
L (5)
Table 3 — DA Pam 385–30 Risk acceptance matrix (ref. 12)
Category of risk
1 month or less
Greater than 1
month, less than
1 year
Duration of risk
Greater than 1
year, less than 5
years
Extremely high
risk
General officer
MSC CG –
General officer
Army
Headquarters CG
ASA(I&E)
High risk
Brigade CO or
responsible O-6
General officer1
MSC CG –
General officer
Army
Headquarters CG
Moderate risk
Battalion CO1 or
responsible O-5
Company CO2 or
responsible O-3
Not required
Brigade CO1 or
responsible O-6
Battalion CO2 or
responsible O-5
Not required
General officer1
General officer1
Brigade CO1 or
responsible O-6
Not required
Brigade CO1 or
responsible O-6
Not required
Low risk
Tolerable risk
Permanent or
greater than 5
years
Chartered
system
development
programs
Component
Acquisition
Executive (CAE)
Program
Executive Officer
(PEO)
Program manager
Program manager
Not required
Figure 5 — U.S. Army Operational Units (ref. 13)
The lowest risk acceptance authorities are company commanding officers (CO) . Companies are composed of 100 to
200 soldiers. This progresses to battalion COs (500 to 600 soldiers) and brigade COs (3,000 to 5,000 soldiers). But
what if an entire Army division (10,000 to18,000 soldiers) is exposed to an operational threat or hazard? How does a
scale dealing with only one or more fatalities handle that? Scenarios like this have occurred. For example, in June,
1991, Clark Air Base in the Philippines was devastated by the eruption of Mount Pinatubo necessitating a massive
evacuation of aircraft, equipment, and about 15,000 personnel to other bases in the Pacific just prior to the event.
Third is the arena of national preparedness. On March 30, 2011 President Obama released Presidential Policy Directive
8 (PPD-8): National Preparedness, which is "aimed at strengthening the security and resilience of the United States
through systematic preparation for the threats that pose the greatest risk to the security of the Nation, including acts
of terrorism, cyber attacks, pandemics, and catastrophic natural disasters (ref. 14)." A new severity scale would be
useful in support of PPD-8 which aims to strengthen the security and resilience of the nation through systematic
preparation for the threats and hazards that pose the greatest risk to U.S. security and well being. As part of the effort,
the Secretary of Homeland Security led an effort to conduct a strategic national risk assessment (SNRA) to help
identify the types of incidents that pose the greatest threat to the Nation’s homeland security. The SNRA evaluated
the risk from known threats and hazards that have the potential to significantly impact the Nation’s homeland security.
These threats and hazards were grouped into a series of national-level events with the potential to test the Nation’s
preparedness. The report identified 23 of these events listed in Table 4.
Table 4 — Strategic National Risk Assessment (SNRA) National-Level Events (ref. 15)
Threat/ Hazard Group
Natural
Technological/ Accidental
Adversarial/ Human-Caused
Threat/Hazard Type
Animal Disease Outbreak
Earthquake
Flood
Human Pandemic Outbreak
Hurricane
Space Weather
Tsunami
Volcanic Eruption
Wildfire
Biological Food Contamination
Chemical Substance Spill or Release
Dam Failure
Radiological Substance Release
Aircraft as a Weapon
Armed Assault
Biological Terrorism Attack (non-food)
Chemical/Biological Food Contamination Terrorism Attack
Chemical Terrorism Attack (non-food)
Cyber Attack against Data
Cyber Attack against Physical Infrastructure
Explosives Terrorism Attack
Nuclear Terrorism Attack
Radiological Terrorism Attack
Fourth is the arena of global preparedness. Many of the hazards listed in Table 4 also have the potential for global
impact. A pandemic has historically been a source of world-wide risk with such diseases as cholera, influenza,
typhus, smallpox, measles, tuberculosis, leprosy, malaria, yellow fever, and AIDS. Potential pandemic diseases
include viral hemorrhagic fever, previously controlled antibiotic-resistant microorganisms, severe acute respiratory
syndrome (SARS), and H5N1 Influenza (Avian Flu). Some hazards such as earthquake and tsunami can affect
multiple countries and even multiple continents in one event and a collision with a large extraterrestrial object would
destroy all life on our planet.
Desired Outcomes
There are four desired outcomes of implementing a numbered logarithmic risk severity scale corresponding to the four
arenas described above.
Outcome 1. It must support DoD policy regarding the investigation of mishaps and the assessment of environmental,
safety, and occupational health hazards for DoD systems.
Outcome 2. It must be a useful tool to all levels of DoD leadership in employing composite (operational) risk
management for the full range of DoD operations.
Outcome 3. It must be useful in support of national preparedness to include managing the risk of all of the 23events
listed in Table 4.
Outcome 4. It must be useful in support of global preparedness.
Alternatives to be Analyzed
Alternative 1. Keep the current DODI 6055.07 structure for accident classification (A, B, C, D) and MIL-STD-882
severity categories (1, 2, 3, 4) which are not aligned to increase with increasing severity. Continue the current practice
of increasing the severity thresholds every 10 to 20 years making incremental changes that do not approach the
magnitude of the costs of systems in terms of damage or injury.
Alternative 2. Renumber the severity scales using numbers going in the same direction as the increase in severity.
Start numbering with Severity Category 1 for the lowest range of severity and add one severity category for each
10-fold increase in severity. Add categories until the full range of potential loss is covered for a specific system. Do
this for the dollar value of damage and for injuries and fatalities. Eliminate the use of one-word labels (Catastrophic,
Critical, Marginal, Negligible) for each severity category. Descriptions in terms of dollar value of damage and injuries
and fatalities are more meaningful and do not carry any preconceived notions of their meaning as is the case with oneword labels.
Analysis of Alternatives
Alternative 1. The argument for Alternative 1, as far at DODI 6055.07 is concerned, is that the current system works
adequately for its intended purposes. One purpose of the accident classes is to determine the level of effort required
to investigate an accident. Any additional effort over and above that required by the instruction to investigate high
value or high interest accidents will be ordered by the appropriate level of authority anyway. However, what the
current system lacks is a means to differentiate high value Class A accidents from Class A accidents which are barely
in the Class A range. For example, in February, 2008, a B-2 crashed on the runway shortly after takeoff from Andersen
Air Force Base in Guam. As shown in Figure 1, the cost was $1.4 billion. It was just one Class A accident so the
overall Class A accident rate for Fiscal Year 2008 did not increase much. But in terms of dollars lost to Class A
accidents it must have caused a significant jump. In the realm of U.S. Navy aircraft carriers, an accident is a Class A
if one sailor is killed, one aircraft is lost, or the entire ship and its company is lost. There is no differentiation between
them.
In terms of managing risk, the same issue is true; the severity categories do not differentiate between lower value
Class A accidents and truly high value losses in the arena of managing the operational risk to a large installation or
formation of troops.
Alternative 2. The proposed renumbered logarithmic risk severity scale, shown in Figure 6, can easily be expanded to
the size needed for the application. When used in conjunction with a probability scale, one can create a matrix that
can assess hazards with the potential for lost up to and including the entire world population. In this age of nuclear
weapons and other weapons of mass destruction, an accidental or intentional use of such a weapon can easily impact
millions, and in extreme cases, billions. If, for example, the cost of the Ford class aircraft carrier were to increase
significantly the new risk scale can easily accommodate the increase. And the new scale can be used to create a risk
matrix on the scale demonstrated in Figure 4 which can be applied to any of the 23 events in Table 4 plus any threat
or hazard on a global scale. When the world population exceeds 10 billion the scale is easily expandable to 14 levels.
Figures 6 and 7 show how some potential or historic "big" events plot against the new severity scale.
Equally beneficial is the way the new scale makes a risk matrix totally tailorable has illustrated in Figures 3 and 4.
The new scale enables the Figure 3 matrix to expand in Figure 4 to cover the entire risk space of planet Earth, that is,
the full range of severity possible and the full range of probability. The recent changes to the severity scales of both
DODI 6055.07 and MIL-STD-882 only move them up on the severity scale without expanding their range of coverage
very much.
The cost of converting to Alternative 2 in the short term is the same as Alternative 1. The severity scales of both DODI
6055.07 and MIL-STD-882 have recently changed and will have to change again in the future to keep up with
increased costs of accidents. Implementing Alternative 2 would cost no more than this recent change. But in the long
term would cost much less since there is no adjustment needed except for inflation. It would be no cost for additional
data because the cost, injury, and fatality data in the accident databases of the services would not change. The change
would be in the reports generated and initially in such things as describing which severity categories of accident
require a particular level of effort to investigate.
What would change is an improved comprehension for leadership at all levels of the government and for the public,
as well, of the significance of all actual or potential high loss events in the same way that the Richter scale aids in the
comprehension of the severity of earthquake. As shown in Figures 6 and 7, the new scale truly differentiates between
such events.
Also note that the new scale does not use labels such as "catastrophic," "critical," "marginal," or "negligible." As
mentioned earlier, the term "Negligible" as currently defined is inappropriately used to describe severities of loss up
to $100,000. Also, as illustrated in Figure 4, there are not enough words to label 13 levels of severity adequately and,
as today's Richter scale demonstrates, there will be no need for them once the new severity scale becomes commonly
used.
Severity
13 $2Q 1B Fatal
12 $200T 100M Fatal
11 $20T 10M Fatal
10 $2T 1M Fatal
9 $200B 100K Fatal
8 $20B 10K Fatal
7 $2B 1K Fatal
6 $200M 100 Fatal
5 $20M 10 Fatal
4 $2M 1 Fatal
3 $200K
2 $20K
1 $2K
Earth encounter with an asteroid – 7 billion
Deaths to Small Pox in 20th Century - 300 million
World War II – 60 million
World War I – 9 million
1931 Yellow River flood – 1-4 million
American Civil War - 970,000
1970 Bhola cyclone - 500,000+
1938 Yellow River flood - 500,000+
2004 Indian Ocean tsunami - 280,000
Property Loss - Hurricane Katrina - $82 billion
Fatalities - Hurricane Katrina - 1,836
Figure 6 — Severity Categories of Potential or Historic Big Events (ref. 16)
Severity
13 $2Q 1B Fatal
12 $200T 100M Fatal
11 $20T 10M Fatal
10 $2T 1M Fatal
9 $200B 100K Fatal
8 $20B 10K Fatal
7 $2B 1K Fatal
6 $200M 100 Fatal
5 $20M 10 Fatal
4 $2M 1 Fatal
3 $200K
2 $20K
1 $2K
Wars
9
Battles Numbers of events in each category
15
6
Accidents
43
42
25
84
Maritime
10
Aviation
141
161
Figure 7 — Severity of Historic Events Based on Fatalities (ref. 17)
Conclusion
The current severity scales used in DODI 6055.07 and MIL-STD-882E are not structured to deal with the large costs
of the DoD's systems. Top thresholds are too low and the current reversed letters and numbers used to designate the
accident classes and severity categories make it difficult to adjust the scales to reflect the cost realities of our present
and future systems. However, if we adopt a logarithmic risk severity scale numbered to increase in the same direction
as increasing severity, we can use it for the full range of environmental, safety and occupational health risk
management challenges to include even global worst case scenarios for the full range of natural and man-made
disasters.
Recommendation
Begin the transition to the new scale by developing reports and risk assessments based on existing accident and other
disastrous event data. This will help to educate today's environmental, safety and occupational health risk management
personnel and others dealing with these kinds of events on the utility of this tool. It will also help calibrate the thinking
of all government leaders on the meaning of risk assessment in the same way that the Richter Scale helped the scientific
community and general public of the 1930s to comprehend the nature of earthquake severity data.
References
1. Department of Defense Instruction 6055.07, “Mishap Notification, Investigation, Reporting, and Record
Keeping,” Washington, DC: Department of Defense, June 6, 2011, 45-46. Accessed June 18, 2012.
http://www.dtic.mil/whs/directives/corres/pdf/605507p.pdf.
2. Military Standard 882E, "System Safety." May 11, 2012, 11. Accessed June 18, 2012. http://www.systemsafety.org/Documents/MIL-STD-882E.pdf.
3. Undersecretary of Defense for Acquisition, Technology and Logistics, Memorandum, Revision to Cost
Thresholds for Accident Severity Classification. October 5, 2009. Accessed June 18, 2012.
http://www.public.navy.mil/navsafecen/Documents/OSH/oshdata/MRR/DoD-Cost_Thresholds-09.pdf.
4. Military Standard 882D, "Standard Practice for System Safety." February 10, 2000, 18. Accessed June 18, 2012.
http://www.system-safety.org/Documents/MIL-STD-882D.pdf.
5. Clemens, P.L., et al, "The RAC Matrix: A Universal Tool or a Toolkit?" Journal of System Safety, Vol. 41, No. 2,
Mar.-Apr. 2005, 14-19.
6. Swallom, Donald W. "A Common Mishap Risk Assessment Matrix for United States Department of Defense
Aircraft Systems." Proceedings of the 23rd International System Safety Conference, San Diego, CA, August 2005,
3.
7. ANSI/GEIA-STD-0010-2009, Standard Best Practices for System Safety Program Development and Execution,
TechAmerica, Arlington, VA, October 2008, 41.
8. Swallom, "Common Risk Matrix," 3.
9. Swallom, "Common Risk Matrix," 6.
10. Department of Defense Instruction 6055.01, DoD Safety and Occupational Health (SOH) Program, October 14,
2014.
11. DA PAM 385–30, 23.
12. DA PAM 385–30, 30.
13. U.S. Army Operational Unit Diagrams. Accessed June 18, 2012.
http://www.army.mil/info/organization/unitsandcommands/oud/.
14. Presidential Policy Directive 8 (PPD-8): National Preparedness, March 30, 2011. Accessed June 18, 2012.
http://www.dhs.gov/xabout/laws/gc_1215444247124.shtm.
15. The Strategic National Risk Assessment in Support of PPD 8: A Comprehensive Risk-Based Approach toward a
Secure and Resilient Nation, December, 2011. Accessed June 18, 2012. http://www.dhs.gov/xlibrary/assets/rmastrategic-national-risk-assessment-ppd8.pdf.
16. Swallom, Donald W., "Aviation Issues with the MIL-STD-882D Matrix," Tutorial Presented at the 25th
International System Safety Conference, Baltimore, Maryland, August 2007, 39.
17. Swallom, "Aviation Issues MIL-STD-882D Matrix," 40.
Biography
Donald W. “Don” Swallom, Safety Engineer, U.S. Army Aviation and Missile Command, ATTN AMSAM-SFA,
Redstone Arsenal, AL 35898-5000, telephone (256) 842-8641, fax (256) 313-2111, email:
[email protected].
Donald W. “Don” Swallom is a safety engineer with the U.S. Army Aviation and Missile Command Safety Office.
Don holds a Bachelor of Science in Engineering Sciences from the United States Air Force Academy and a Master
of Science in Systems Management from the University of Southern California. Prior to his current position, he
served as a helicopter pilot, staff officer, and developmental engineer in the United States Air Force. His last Air
Force assignment was as the chief of safety for the Arnold Engineering Development Center, the world's largest
complex of aerospace ground testing facilities. He collaborated on the system safety chapter of the Handbook of
Human Systems Integration (John Wiley and Son, 2003). Don is a Fellow member of the International System
Safety Society and a past president of the Tennessee Valley Chapter.